Hi all,
I am currently implementing SSL certificates in my environment and wasn't clear on one of the initial steps configuring openssl.cfg - http://kb.vmware.com/kb/2015387.
The instructions are clear, but I have the following questions;
This is the reference configuration;
Note: Replace the highlighted code with details of the server that you are configuring.
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vc50, DNS:10.0.0.10, DNS:vc50.vmware.com
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = NY
localityName = New York
0.organizationName = VMWare
organizationalUnitName = vCenterInventoryService
commonName = vc50.vmware.com
Thanks,
Jon
Hi Jon
Regarding #1, if a vCenter component connects to the Inventory Service using hostname.domain.com, but you only set up dnsalias.domain.com in the commonName / subjectAltNames of the certificate, then hostname.domain.com will not match any identity within the certificate and the connection will not be considered 'verified'. So either:
1) Use the hostname that was confirmed when you installed IS (One of the steps was to confirm the local system name - it should have been an FQDN).
2) Add hostname.domain.com to commonName and subjectAltName, but also add dnsalias.domain.com to subjectAltName so that you are covered for all possibilities.
Regarding #2, this line is not relevant to processing the cert and is informational only. It can stay as is, or other examples that you could use for OU might be: IT, IT Operations, MIS, etc.
Cheers
Mark
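To see Mark's point #1 concretely, here is an added example (not from the thread or from VMware) that reads the CN and subjectAltName out of an openssl.cfg like the one above and checks whether the name a client connects with would be found in the resulting certificate. The configs, the hostname.domain.com / dnsalias.domain.com names and the parser are constructed for illustration.

```python
import configparser
import ipaddress

def parse_openssl_cfg(text):
    """Read the key = value sections of an openssl.cfg (constructed helper, not OpenSSL's parser)."""
    p = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    p.optionxform = str  # keep key case: commonName, subjectAltName
    p.read_string(text)
    return {s.strip(): {k: v.strip() for k, v in p.items(s)} for s in p.sections()}

def cert_identities(cfg):
    """Names the CSR will assert: the CN plus every DNS:/IP: entry in subjectAltName."""
    dns, ips = set(), set()
    cn = cfg["req_distinguished_name"].get("commonName")
    if cn:
        dns.add(cn.lower())
    ext_section = cfg["req"]["req_extensions"]
    for entry in cfg[ext_section].get("subjectAltName", "").split(","):
        kind, _, value = entry.strip().partition(":")
        if kind.upper() == "DNS":
            dns.add(value.lower())
        elif kind.upper() == "IP":
            ips.add(value)
    return dns, ips

def connection_verified(cfg_text, connect_name):
    """Does the name a client connects with match an identity in the resulting certificate?"""
    dns, ips = cert_identities(parse_openssl_cfg(cfg_text))
    try:
        # Strict clients (OpenSSL's X509_check_ip, Python's ssl) only accept an address
        # from an IP: entry, so a DNS:10.0.0.10 entry does not cover connecting by IP.
        return str(ipaddress.ip_address(connect_name)) in ips
    except ValueError:
        return connect_name.lower().rstrip(".") in dns

# Constructed configs: the alias-only case Mark describes, and his option 2 with both names.
ALIAS_ONLY = """
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ v3_req ]
subjectAltName = DNS:dnsalias.domain.com, DNS:10.0.0.10
[ req_distinguished_name ]
commonName = dnsalias.domain.com
"""
BOTH_NAMES = ALIAS_ONLY.replace(
    "DNS:dnsalias.domain.com, DNS:10.0.0.10",
    "DNS:hostname.domain.com, DNS:dnsalias.domain.com, IP:10.0.0.10",
).replace("commonName = dnsalias", "commonName = hostname")
```

With ALIAS_ONLY a client using hostname.domain.com fails verification; with BOTH_NAMES both names pass, and the address passes only because it is listed as an IP: entry rather than DNS:10.0.0.10.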
Hi Mark,
Thanks for the feedback. I will do some more testing and post an update.
Do you happen to know which version of OpenSSL is the correct one as the KB article first states to use a specific version and then says a later one can be used;
First;
Important: Ensure that you are using OpenSSL version 0.9.8. If you do not use this version, the SSL implementation will fail.
And then, step 2 ...
Download the Shining Light Productions installer for OpenSSL x86 version 0.98r or later
Cheers,
Jon
I had success with OpenSSL 0.9.8y from http://slproweb.com/products/Win32OpenSSL.html
Mark
Here is a great resource and full of information http://www.derekseaman.com/2012/09/vmware-vcenter-51-installation-part-2.html
It helped me a great deal, trust me take a read...
Interesting - that blog post implies that the OU must be unique for each service and this kb backs it up: http://kb.vmware.com/kb/2037432 :
The OpenSSL configuration when generating requests must:
- Have the subject alternative name field included in them
- Have unique OrganizationalUnitNames for the components
- Include digitalSignature, keyEncipherment, dataEncipherment components for Key Usage
I hadn't realised that - I must have just used the default samples from that kb... The OU field is definitely not necessary for cert generation, but apparently is important for SSO registration
Yes, I noticed that earlier in the week when I was googling around for information. Since I'm still on 5.0 SSO is not a concern and I will try generating the certs today using the version you had success with.